{ "name": "A Third Vultr Seoul Box: 60+ Kimsuky Domains, 18 Months of DDNS Rotation, and a 5-Year Infrastructure Trail", "slug": "a-third-vultr-seoul-box-60-kimsuky-domains-18-months-of-ddns-rotation-and-a-5-year-infrastructure-trail", "description": "This analysis documents a third Vultr Seoul VPS (158.247.210.58) associated with Kimsuky operations, featuring over 60 domains across an 18-month period of systematic credential harvesting infrastructure. The actor demonstrates deliberate rotation through seven DDNS providers to evade blocklisting while maintaining the same backend VPS since at least September 2020. The domains systematically impersonate Naver, Korean National Tax Service (HomeTax), and government portals using prefixes like nid-user, n-store, nts-auth, and htax-login. Currently, 31 domains actively resolve while web ports remain closed, indicating a parked and ready operational posture. The infrastructure sits in AS20473 alongside two previously documented Vultr Seoul boxes, demonstrating the actor's clear preference for this provider and geographic proximity to South Korean targets.", "published": "2026-04-28T08:06:27.309000+00:00", "created_at": "2026-04-28T14:35:43.339000+00:00", "modified_at": "2026-04-28T12:35:43+00:00", "created_at_opencti": "2026-04-28T14:35:43.339000+00:00", "author": "AlienVault", "confidence": 100, "report_types": [ "threat-report" ], "labels": [ "apt43", "credential harvesting", "ddns rotation", "dprk", "korean nts", "naver", "phishing infrastructure", "vultr seoul" ], "tags": [ "2026-04-28", "apt43", "credential harvesting", "ddns rotation", "dprk", "korean nts", "naver", "phishing infrastructure", "vultr seoul" ], "related_entities": { "indicators": [ { "id": "b8372a62-ff19-4bc1-8689-c9bbefeb5a13", "name": "nid-user.mydns.bz" }, { "id": "09ed63ae-af04-4c4f-893d-58dba61186ce", "name": "nid-store.govkr.dns.army" }, { "id": "76c4dd09-19ff-471c-9847-8238afb5f78c", "name": "nts-store.n-login.dns.navy" }, { "id": "6e933eff-8cc5-4aa1-b7c5-d94c40ea7961", "name": "nuser-login.mydns.bz" }, { "id": "f495d763-5297-4199-bab4-fa2c7644a405", "name": "n-cloud.htax-store.dns.navy" }, { "id": "40c672cf-507e-4499-9da1-289356ce905a", "name": "nid-auth.n-cloud.dns.navy" }, { "id": "76ad2693-8bc6-4bc1-b1c5-50bdcf558f21", "name": "htax-login.nts-kr.dns.army" }, { "id": "e90f6713-8aab-4116-95a0-848a0cbd2945", "name": "nts-nid.n-login.kro.kr" }, { "id": "9012fb04-fd6f-4b13-a7e0-0a4251c2c466", "name": "johnnytogdstudio.xyz" }, { "id": "9c8170c8-577d-4559-9638-506cb63d681a", "name": "mdlog.mydns.vc" }, { "id": "7019b3de-bc40-4493-818a-cd16255912ff", "name": "nid-store.mydns.bz" }, { "id": "fa5ac46b-4c62-4b9a-b948-cacc0ffbcde3", "name": "htax-login.mydns.vc" }, { "id": "19ceb390-0e7b-4d15-8b0e-3e5c57f43c06", "name": "nid-user.nts-auth.dns.army" }, { "id": "045cfec5-6544-40e4-bd8f-302ea8780c51", "name": "nts-login.mydns.vc" }, { "id": "997ba597-4d1f-4b00-ab99-7df588c0e7d5", "name": "nid-login.mydns.vc" }, { "id": "b04198a0-dd91-4df2-8213-272d215ea66d", "name": "n-corp.htax-auth.dns.navy" }, { "id": "e2ad91ed-7fa1-4c69-ae13-455380440d77", "name": "tax-login.mydns.vc" }, { "id": "769089f3-c463-44b2-97fe-7cbfc30359c2", "name": "htax-nid.mydns.vc" }, { "id": "0acba4bf-5e4f-4e12-a331-d9c14fa49e52", "name": "n-cloud.nid-tax.kro.kr" }, { "id": "a0709b21-da01-4937-af36-47932562c91b", "name": "n-user.ips-gov.dns.army" }, { "id": "e55a2313-0d8d-40a5-b2b1-453c4dd7510b", "name": "htax-nid.n-user.dns.navy" }, { "id": "42cc0dae-c721-489f-a4a3-ba65091be633", "name": "tax-user.nid-gov.dns.army" }, { "id": "d30aae6d-c7ca-4764-901c-af7dca5e6106", "name": "n-store.mydns.vc" }, { "id": "fc7fa2eb-5f57-4ae3-99ca-ce20afb830d6", "name": "govkr-auth.mydns.bz" }, { "id": "6567e622-e9a4-4108-a4fa-f1552722bb91", "name": "n-corp.mydns.bz" }, { "id": "f70cf4b6-006d-4939-8f47-4bb55fa673d9", "name": "n-store.nts-user.kro.kr" }, { "id": "802d042a-39c7-4e6d-904d-f8d87db7dfa3", "name": "nid-login.nts-gov.dns.army" }, { "id": "d8ac4ccb-35f2-4b17-9938-6296ffb0c1cf", "name": "n-login.htax-nid.dns.navy" }, { "id": "65fa0d2c-8c9a-40aa-b796-628099b23a5d", "name": "tax-nid.mydns.bz" }, { "id": "8194e27d-1770-4145-87cb-144c1688b466", "name": "n-cloud.mydns.bz" }, { "id": "97341cc3-dd78-40e4-ba39-0668abe85ef4", "name": "govkr-tax.nid-auth.kro.kr" }, { "id": "7d8eddda-2fbf-47a3-a1ce-b8b11c9e7a50", "name": "n-user.htax-auth.kro.kr" }, { "id": "dbf505f5-8f9d-4a78-9c08-46f841f4a223", "name": "ips-govkr.mydns.bz" }, { "id": "6672fe0d-2160-455a-baa6-224e5f8ef482", "name": "htax-login.n-cloud.kro.kr" }, { "id": "a1e20bf4-ed3d-488b-8d63-2209a5c20f5e", "name": "n-auth.nts-login.dns.navy" }, { "id": "d7a036ee-0537-4294-bb4b-576de9b4d07e", "name": "htax-user.govkr.kro.kr" }, { "id": "1b14e5ae-b6f0-412d-a691-8d0b5f6de5dd", "name": "tax-login.n-corp.kro.kr" }, { "id": "8ffb8e8c-fdd6-4aa9-a0db-e24d73a24f84", "name": "n-store.tax-nid.dns.navy" }, { "id": "5b5126c3-c21b-4db9-a946-603cf53bab52", "name": "nuser-login.govkr.dns.army" }, { "id": "3a9e2760-8492-4af1-be5d-cec00cdc6806", "name": "nid-nts.n-store.kro.kr" }, { "id": "3dcd1453-8034-4095-ad9f-0a63cb6f8ead", "name": "nts-auth.mydns.vc" }, { "id": "670062cf-1bad-4ec4-b06c-0b9c1385ce9e", "name": "n-auth.mydns.bz" }, { "id": "49a8e6e1-9d56-4736-9bac-f3c9582da188", "name": "govkr-nid.tax-auth.dns.army" }, { "id": "2a54279d-d40d-4469-836f-a0b1b66f3e6e", "name": "nts-login.n-auth.kro.kr" }, { "id": "c9deeed9-0f73-4c3f-a6e8-1009c54cf89f", "name": "nid-gov.tax-store.kro.kr" } ], "intrusion_sets": [ { "id": "294d962a-b24e-446b-8e2d-3706cb1316b3", "name": "Kimsuky", "slug": "kimsuky" } ], "observables": [ { "id": "ba7dbdc9-dee4-4250-bee4-07f8ffc57002", "name": "johnnytogdstudio.xyz" }, { "id": "67626f33-74a3-46cb-a62b-3a4d13453d0e", "name": "htax-nid.mydns.vc" }, { "id": "82946a2a-8990-4464-ba70-1a59aec4d3db", "name": "nts-login.n-auth.kro.kr" }, { "id": "f4b49afb-7580-47c0-af1a-a8a47525f53c", "name": "n-auth.nts-login.dns.navy" }, { "id": "9d23cdc6-56c6-471a-8a7b-27c16e2989d1", "name": "nts-auth.mydns.vc" }, { "id": "34db7025-7a1b-4ebb-8101-d885f62e93ac", "name": "n-user.ips-gov.dns.army" }, { "id": "f80c8150-7eb6-471b-acb8-817d52f7b98a", "name": "n-store.nts-user.kro.kr" }, { "id": "d95e666f-a42c-4c04-a00f-d7324029c69e", "name": "n-login.htax-nid.dns.navy" }, { "id": "495d06d7-30f9-431a-adc2-54cbdd71713c", "name": "nid-user.mydns.bz" }, { "id": "19a8abdc-6808-45f4-a1f3-d497a8b5ff13", "name": "n-cloud.nid-tax.kro.kr" }, { "id": "590331cd-8453-4441-b216-84ffdb620146", "name": "tax-nid.mydns.bz" }, { "id": "de69e10c-a679-4efc-920e-47d1ba6f3d6e", "name": "nuser-login.govkr.dns.army" }, { "id": "b2f07dec-a69b-4101-a17e-2d0694971a1b", "name": "n-user.htax-auth.kro.kr" }, { "id": "36b3a330-264f-40de-b111-46f28ca0b879", "name": "htax-login.n-cloud.kro.kr" }, { "id": "0dd6b28a-6c63-4f88-b43c-266e1ddaa40e", "name": "tax-login.n-corp.kro.kr" }, { "id": "ea41adb2-75b8-4810-bb56-6e369697d0f3", "name": "govkr-nid.tax-auth.dns.army" }, { "id": "054b5d4d-3516-427c-8b01-3d857a315f6a", "name": "nid-store.mydns.bz" }, { "id": "86303236-f77d-46fd-b3bb-63809adb7598", "name": "nuser-login.mydns.bz" }, { "id": "3820408e-3a4b-4b67-af33-9cb2d23fdbc8", "name": "nid-auth.n-cloud.dns.navy" }, { "id": "248928f5-33b3-4d0e-993f-377b2e1ad9b5", "name": "nid-login.nts-gov.dns.army" }, { "id": "11baa70e-172f-4f6b-a81c-34dd251cb008", "name": "govkr-tax.nid-auth.kro.kr" }, { "id": "f65b8859-f4a9-45b0-9cfb-6dafee6b0b9e", "name": "nid-login.mydns.vc" }, { "id": "9f9ab041-6e68-46ab-96c7-5e54e18ce610", "name": "htax-login.nts-kr.dns.army" }, { "id": "2d2210d8-98c3-4305-b417-e580b8179749", "name": "govkr-auth.mydns.bz" }, { "id": "08b51f94-bf83-4c7c-8bab-fcbd8862ed63", "name": "n-store.mydns.vc" }, { "id": "3222566c-9dab-47bc-a9a7-10749a34ced2", "name": "n-corp.htax-auth.dns.navy" }, { "id": "6a608662-279e-4811-99ce-92be5e127c46", "name": "htax-nid.n-user.dns.navy" }, { "id": "6fb0ce51-f9d7-43b7-9668-f82d90fba207", "name": "htax-login.mydns.vc" }, { "id": "36710872-3beb-4ca2-992a-490a07889589", "name": "nts-nid.n-login.kro.kr" }, { "id": "ce0d0cae-00f9-458a-acb8-7c85cf78cf4f", "name": "nts-login.mydns.vc" }, { "id": "bfb41792-3481-4885-b143-987fff7c0f87", "name": "n-auth.mydns.bz" }, { "id": "c7dd83d5-fc38-4470-a764-c6ac2e7233dd", "name": "nid-user.nts-auth.dns.army" }, { "id": "5b041bb3-b2ff-4491-a5e6-6fda8fb2fae2", "name": "tax-login.mydns.vc" }, { "id": "552dc272-bfd9-478d-85e3-c1f45ef96f6f", "name": "nid-store.govkr.dns.army" }, { "id": "83c31674-d4cd-4bad-a01b-a79afe23529d", "name": "n-cloud.htax-store.dns.navy" }, { "id": "fba7cee4-b18c-4bd7-95fc-8907f1139b02", "name": "n-cloud.mydns.bz" }, { "id": "865247f1-696c-4c81-a6c2-937051489a2f", "name": "nid-nts.n-store.kro.kr" }, { "id": "807cdd61-1479-4cbc-8e61-51484cc88952", "name": "n-corp.mydns.bz" }, { "id": "19695f36-e10a-46fb-b1d8-7b0092b0c861", "name": "nid-gov.tax-store.kro.kr" }, { "id": "bb0880c0-e7a0-4652-97a0-e4ce63b82109", "name": "ips-govkr.mydns.bz" }, { "id": "e6097813-545e-4032-a33d-550deb7c2552", "name": "n-store.tax-nid.dns.navy" }, { "id": "bd783192-fead-4c44-8e4e-ccbcea2bb490", "name": "nts-store.n-login.dns.navy" }, { "id": "2fbc6308-e0a5-405f-b23a-5f5ff8a2f4bc", "name": "htax-user.govkr.kro.kr" }, { "id": "8f0184e7-3a3a-444f-84c6-5dddce4e5942", "name": "tax-user.nid-gov.dns.army" }, { "id": "009ad70e-a4d3-424d-9926-dbe3c70cd74d", "name": "mdlog.mydns.vc" } ], "others": [ { "id": "", "name": "Finance" }, { "id": "", "name": "Government" }, { "id": "", "name": "nid-user.mydns.bz" }, { "id": "", "name": "nid-store.govkr.dns.army" }, { "id": "", "name": "nts-store.n-login.dns.navy" }, { "id": "", "name": "nuser-login.mydns.bz" }, { "id": "", "name": "n-cloud.htax-store.dns.navy" }, { "id": "", "name": "nid-auth.n-cloud.dns.navy" }, { "id": "", "name": "htax-login.nts-kr.dns.army" }, { "id": "", "name": "nts-nid.n-login.kro.kr" }, { "id": "", "name": "johnnytogdstudio.xyz" }, { "id": "", "name": "mdlog.mydns.vc" }, { "id": "", "name": "nid-store.mydns.bz" }, { "id": "", "name": "htax-login.mydns.vc" }, { "id": "", "name": "nid-user.nts-auth.dns.army" }, { "id": "", "name": "nts-login.mydns.vc" }, { "id": "", "name": "nid-login.mydns.vc" }, { "id": "", "name": "n-corp.htax-auth.dns.navy" }, { "id": "", "name": "tax-login.mydns.vc" }, { "id": "", "name": "htax-nid.mydns.vc" }, { "id": "", "name": "n-cloud.nid-tax.kro.kr" }, { "id": "", "name": "n-user.ips-gov.dns.army" }, { "id": "", "name": "htax-nid.n-user.dns.navy" }, { "id": "", "name": "tax-user.nid-gov.dns.army" }, { "id": "", "name": "n-store.mydns.vc" }, { "id": "", "name": "govkr-auth.mydns.bz" }, { "id": "", "name": "n-corp.mydns.bz" }, { "id": "", "name": "n-store.nts-user.kro.kr" }, { "id": "", "name": "nid-login.nts-gov.dns.army" }, { "id": "", "name": "n-login.htax-nid.dns.navy" }, { "id": "", "name": "tax-nid.mydns.bz" }, { "id": "", "name": "n-cloud.mydns.bz" }, { "id": "", "name": "govkr-tax.nid-auth.kro.kr" }, { "id": "", "name": "n-user.htax-auth.kro.kr" }, { "id": "", "name": "ips-govkr.mydns.bz" }, { "id": "", "name": "htax-login.n-cloud.kro.kr" }, { "id": "", "name": "n-auth.nts-login.dns.navy" }, { "id": "", "name": "htax-user.govkr.kro.kr" }, { "id": "", "name": "tax-login.n-corp.kro.kr" }, { "id": "", "name": "n-store.tax-nid.dns.navy" }, { "id": "", "name": "nuser-login.govkr.dns.army" }, { "id": "", "name": "nid-nts.n-store.kro.kr" }, { "id": "", "name": "nts-auth.mydns.vc" }, { "id": "", "name": "n-auth.mydns.bz" }, { "id": "", "name": "govkr-nid.tax-auth.dns.army" }, { "id": "", "name": "nts-login.n-auth.kro.kr" }, { "id": "", "name": "nid-gov.tax-store.kro.kr" } ] }, "external_refs": [ { "id": "bc5bded7-2403-4cfd-9ee6-a0a70e95ac96", "standard_id": "external-reference--74c4e840-aeb3-5597-8489-feeb1a1a78b5", "entity_type": "External-Reference", "source_name": "AlienVault", "description": null, "url": "https://intel.breakglass.tech/post/kimsuky-third-vultr-seoul-60-domains-ddns-rotation-naver-nts", "hash": null, "external_id": null, "created": "2026-04-28T14:35:35.936Z", "modified": "2026-04-28T14:35:35.936Z", "createdById": null }, { "id": "ec398b23-7fbf-447f-a621-35b6671a91e1", "standard_id": "external-reference--c1ec4311-355e-5a2e-9e70-9b618a041fb2", "entity_type": "External-Reference", "source_name": "AlienVault", "description": null, "url": "https://otx.alienvault.com/pulse/69f06a838f5dae965dd8cbfd", "hash": null, "external_id": "69f06a838f5dae965dd8cbfd", "created": "2026-04-28T14:35:35.910Z", "modified": "2026-04-28T14:35:35.910Z", "createdById": null } ] }